Wednesday, March 31, 2010

CMS Explorer (or: what's that CMS running?)

As a developer, as well as a penetration tester, it's often helpful to know what components a site uses to turn it from a vanilla content management system (CMS) into a more useful site. Besides Mediawiki, I'm not aware of any CMS which publicly lists installed components--so the only way you can figure it out is manually or through small clues on the site.

CMS Explorer is an attempt to automate this component discovery. By brute-force requesting directory names for plugins and themes (and with "normal" HTTP responses--at least for now), we can determine which directories exist, and thus which components are installed. The end result is a list of installed items:


What makes CMS Explorer powerful for penetration testing is what happens next. If you use the -explore option with Drupal or Wordpress, the program will pull a list of potentially-existing files directly from the respective CMS code repositories, and then request those files from your target.

And just to make it a little more useful (especially in "explore" mode), you can also specify a "bootstrap" proxy. If defined, any found file will be requested a second time through this proxy--so you can prime up your favorite proxy (such as Burp or Paros) for doing actual security testing of those files. This proxy is used only for found items and is separate from your main scanning proxy, in case you have one of those setups.

And lastly, if you supply an OSVDB.org API key, it can search and report back a list of potential issues in the installed component.

CMS Explorer is currently set up to test Drupal, Wordpress and Joomla!/Mambo, with exploration support for Drupal and Wordpress. It is written in Perl and licensed under the GNU GPLv3.
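Seen from the other side of the wire, the directory brute-forcing described above leaves a distinctive trace in web server access logs: one client requesting many distinct plugin or theme directories in quick succession, most of them answered with 404. The following Python check is an added example, not part of the original post or of CMS Explorer; the component directory prefixes and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout (WordPress convention); adjust to the site being monitored.
COMPONENT_PREFIXES = ("/wp-content/plugins/", "/wp-content/themes/")
# Apache/nginx "combined" log format: client, timestamp, request path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')
# Constructed sample log lines, not real traffic: 203.0.113.5 walks through
# candidate plugin/theme directories, 198.51.100.7 is ordinary browsing.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Mar/2010:10:00:01 +0000] "GET /wp-content/plugins/plugin-a/ HTTP/1.1" 404 210 "-" "probe/1.0"
203.0.113.5 - - [31/Mar/2010:10:00:01 +0000] "GET /wp-content/plugins/plugin-b/ HTTP/1.1" 404 210 "-" "probe/1.0"
203.0.113.5 - - [31/Mar/2010:10:00:02 +0000] "GET /wp-content/plugins/plugin-c/ HTTP/1.1" 200 512 "-" "probe/1.0"
203.0.113.5 - - [31/Mar/2010:10:00:02 +0000] "GET /wp-content/plugins/plugin-d/ HTTP/1.1" 404 210 "-" "probe/1.0"
203.0.113.5 - - [31/Mar/2010:10:00:03 +0000] "GET /wp-content/plugins/plugin-e/ HTTP/1.1" 404 210 "-" "probe/1.0"
203.0.113.5 - - [31/Mar/2010:10:00:03 +0000] "GET /wp-content/themes/theme-x/ HTTP/1.1" 404 210 "-" "probe/1.0"
198.51.100.7 - - [31/Mar/2010:10:00:05 +0000] "GET /wp-content/themes/theme-y/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Mar/2010:10:00:06 +0000] "GET /wp-content/plugins/plugin-z/img.png HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

def component_of(path):
    # Map a request path to the component directory it falls under, or None.
    for prefix in COMPONENT_PREFIXES:
        if path.startswith(prefix):
            return prefix + path[len(prefix):].split("/", 1)[0]
    return None

def find_enumerators(lines, window_seconds=60, threshold=5):
    """Return {client: [component dirs]} for clients that hit at least
    `threshold` distinct non-existent (404) component dirs within one window."""
    misses = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        client, ts, path, status = m.groups()
        comp = component_of(path)
        if comp and status == "404":
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            misses[client].append((when, comp))
    flagged, window = {}, timedelta(seconds=window_seconds)
    for client, events in misses.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {c for t, c in events[i:] if t - start <= window}
            if len(seen) >= threshold:
                flagged[client] = sorted(seen)
                break
    return flagged
```

Ordinary visitors rarely touch more than a handful of missing component directories, so the threshold mainly needs tuning for sites that link to many third-party assets.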

7 comments:

  1. As both a Joomla dev and security person, I am glad to see a CMS focused security tool. As CMSes grow in popularity, they will become a prime target for attackers, especially with the relative ease of writing an extension for a CMS. I believe I recently saw an optional Joomla extension which will show the "credits" for the app installed, but that is of course optional and probably not optimal as far as security is concerned.

    This may also come in handy when doing troubleshooting or just general consulting. Can't wait to try it out.

  2. Yes, there is a Firefox add-on called Wappalyzer which can do the same job. Let's check out whether CMS Explorer can beat it or not... ;)

  3. They really go hand-in-hand, as Wappalyzer will tell you what software is running (Wordpress, etc.) and CMS-Explorer will tell you what components are installed for the software. Ideally, you'd run CMS-Explorer after you know what the site has... though the dev version of CMS-Explorer has some rudimentary support for identifying Joomla, Mambo, Drupal and Wordpress.

  4. You might want to write a module for Typo3. Maybe it is not so widely spread in the US, but it's a major deal in Europe.

  5. @Marco - I was toying with Typo3 actually, and think except for some minor hitch it's working. I'll dust it off and see if I can get the code checked in this week.

  6. Actually, CMS Explorer is designed to deal with such testing; it can assist security testing by seeing some similar vulnerabilities.

  7. Definitely going to use it and shall update here about my exp.